[horde] spammers targeting horde/imp as spamming tool

robert sand rsand at d.umn.edu
Wed Apr 30 19:54:32 UTC 2008


Donald,

I can only tell you about the script I wrote.  Another admin works on mail delivery.  First a little on our setup.

We are running the Debian Etch distribution of Horde/Imp and others so we are at Horde 3.1.x and Imp 4.1.x.  Our 
preference database is on another server as are our email inboxes.  Some of these spammers are setting up the default 
identity or other identities and usually using the signature to contain the body of their message.  Some set the from 
and replyto addresses to wherever they want their responses to go back to (an example follows).  The keywords I look for 
are words that normally would not show up in an identity like "UNITED NATIONS".  I've attached a copy of the php script 
I run on the database server that has our horde preferences database.

I believe that when the message is delivered to our outgoing email server it goes through a number of checks before it 
is delivered.  These checks include:

	envelope sender
	From header
	Reply-to header (if exists)
	Return-Path header (if exists)

	then 14 netblocks (/16 addrs)

	miscellaneous (e.g., 'From' containing 'compensationunit')

If you would like more information on how the checks above are done I can get that to you as well.  We are now checking 
the X-Originating-IP against the netblocks and checking the authorized user id against what the envelope says.



s:9:"sig_first";i:1;s:10:"sig_dashes";i:1;s:14:"save_sent_mail";i:1;s:16:"sent_mail_folder";s:9:"sent-mail";s:16:"default_identity";s:1:"0";}i:1;a:14:{s:16:"default_identity";s:1:"0";s:2:"id";s:14:"United 
Nations";s:8:"fullname";s:14:"United 
Nations";s:9:"from_addr";s:26:"koffi.un at unitednations.com";s:12:"replyto_addr";s:22:"mrjimovia2000 at yahoo.it";s:10:"alias_addr";a:0:{}s:10:"tieto_addr";a:0:{}s:8:"bcc_addr";a:0:{}s:8:"mail_hdr";s:0:"";s:9:"signature";s:1539:"Attention: 


How are you today? Hope all is well with you and family?,You may not
understand why this mail came to you.

We have been having a meeting for the passed 7 months which ended 2
days ago with the then secretary to the UNITED NATIONS.

This email is to all the people that have been scammed in any part of
the world, the UNITED NATIONS have agreed to compensate them with the
sum of US$ 500,000. This includes every foriegn contractors that may
have not received their contract sum, and people that have had an
unfinished transaction or international businesses that failed due to
Government probelms etc.

We found your name in our list and that is why we are contacting you,
this have been agreed upon and have been signed.
You are advised to contact Mr. Jim Ovia of ZENITH BANK PLC, as
he is our representative in Nigeria, contact him immediately for your
Cheque/ International Bank Draft of USD$500,000. This funds are in a
Bank Draft for security purpose ok? so he will send it to you and you
can clear it in any bank of your choice.

Therefore, you should send him your full Name and telephone number/your
correct mailing address where you want him to send the Draft to you.

Contact Mr. Jim Ovia immediately for your Cheque:
Person to Contact Mr. Jim Ovia
Email: mrjimovia2000 at yahoo.it

Thanks and God bless you and your family.Hoping to hear from you as
soon as you cash your Bank Draft.
Making the world a better place
Regards,

Mr. Kofi Annan
Former Secretary (UNITED NATIONS)

";s:10:"sig_dashes";i:0;s:9:"sig_first";i:0;s:14:"save_sent_mail";i:1;s:16:"sent_mail_folder";s:9:"sent-mail";}}



D G Teed wrote:
> Hi,
> 
> Perhaps you could expand on the details a little and we can all
> learn some strategies?  I don't understand what keywords you
> would search for which could be indicative of spammer or a compromised account.
> 
> Also, where or how do you set up this rule to control the abuse of envelope
> and header values?
> 
> --Donald
> 


-- 
Robert Sand.
mailto:rsand at d.umn.edu
1028 Kirby Drive
366 K Plz
Duluth, MN 55812-3095
218-726-6122        fax 218-726-7674

"Walk behind me I may not lead, Walk in front of me I may not follow,
Walk beside me and we walk together"  UTE Tribal proverb.
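As an added illustration of the keyword scan Robert describes (this is not his PHP script, nor Horde's code): a small Python decoder for the PHP-serialized identities preference, followed by the same kind of keyword check over the identity fields. That the blob is read from horde_prefs.pref_value is an assumption about the schema, and the sample value is constructed to mirror the dump above.

```python
# Added example (not the post's script): flag Horde identities carrying spammer fingerprints.
# Horde 3 keeps all of a user's identities in one PHP-serialized array (shape as quoted in
# the post); that it lives in horde_prefs.pref_value is an assumption about the schema.
SUSPECT_WORDS = ("UNITED NATIONS", "COMPENSATIONUNIT", "BANK DRAFT")  # author's keywords

def php_unserialize(blob: bytes):
    """Minimal decoder for PHP serialize(): N, b, i, s, a. Bytes, since s:N counts bytes."""
    def parse(pos):
        t = blob[pos:pos + 1]
        if t == b"N":                               # N;
            return None, pos + 2
        if t in (b"i", b"b"):                       # i:123;  b:1;
            end = blob.index(b";", pos)
            v = int(blob[pos + 2:end])
            return (bool(v) if t == b"b" else v), end + 1
        if t == b"s":                               # s:5:"hello";
            colon = blob.index(b":", pos + 2)
            n = int(blob[pos + 2:colon])
            start = colon + 2                       # skip :"
            return blob[start:start + n].decode("utf-8", "replace"), start + n + 2
        if t == b"a":                               # a:2:{key;value;key;value;}
            colon = blob.index(b":", pos + 2)
            n = int(blob[pos + 2:colon])
            pos, out = colon + 2, {}                # skip :{
            for _ in range(n):
                k, pos = parse(pos)
                out[k], pos = parse(pos)
            return out, pos + 1                     # skip }
        raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")
    return parse(0)[0]

def flag_identities(pref_value: bytes):
    """Return (identity_index, matched_word) for every identity whose visible fields match."""
    fields = ("id", "fullname", "from_addr", "replyto_addr", "signature")
    hits = []
    for idx, ident in php_unserialize(pref_value).items():
        haystack = " ".join(str(ident.get(f, "")) for f in fields).upper()
        hit = next((w for w in SUSPECT_WORDS if w in haystack), None)
        if hit:
            hits.append((idx, hit))
    return hits

# Constructed sample pref_value: a benign identity plus one modelled on the post's dump.
SAMPLE_PREF_VALUE = (
    b'a:2:{i:0;a:3:{s:2:"id";s:7:"Default";s:9:"from_addr";s:17:"rsand@example.edu";'
    b's:9:"signature";s:11:"Robert Sand";}'
    b'i:1;a:4:{s:2:"id";s:14:"United Nations";s:9:"from_addr";s:26:"koffi.un@unitednations.com";'
    b's:12:"replyto_addr";s:22:"mrjimovia2000@yahoo.it";'
    b's:9:"signature";s:55:"Contact Mr. Jim Ovia for your Bank Draft of USD$500,000";}}'
)
```

Run flag_identities over each user's pref_value row; on the constructed sample only the second identity is reported, keyed by its index so the offending identity can be removed or the account locked.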

